EAP-TLS or PEAP-MSCHAPV2 - is there a definitive answer for the DNS setting on Android phone?

Is there a definitive answer for the DNS field on an Android phone when trying to connect to either EAP-TLS or PEAP-MSCHAPV2?

For example, does the CN and/or SAN on the certificate have to match the DNS alias of the RADIUS server, i.e. the machine on which the cert is installed?

When setting up PEAP-MSCHAPV2 on a Pixel 6, no manual import of the CA cert is required. Set the phone to trust-on-first-use and a connection is made. Not so easy for a Samsung S21FE. Looks like a manual import of the CA is required, and then the dreaded DNS field appears. Both Android phones...

For EAP-TLS the DNS field always appears.

This isn't an OpenWrt question. An AP in EAP mode transparently passes all cryptographic negotiations between the client and the RADIUS server.

The client's requirements to trust the server certificate will vary by client. EAP-TLS requires a client certificate. The server trusting this certificate is the full authentication in EAP-TLS; there is no password. PEAP-MSCHAPV2 uses only a server certificate (similar to most uses of HTTPS) and a user-password challenge of the client.
